Amazon Detective Documentation

Amazon Detective is designed to analyze, investigate, and identify the root cause of potential security issues or suspicious activities. Amazon Detective collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that helps you to conduct faster and more efficient security investigations.

Amazon Detective can analyze events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and create a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize relevant details and context in one place to help you identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.

Data collection across all of your AWS accounts

Amazon Detective ingests and processes relevant data from your enabled accounts. Amazon Detective is designed to collect and analyze events from data sources, such as AWS CloudTrail, VPC Flow Logs, and Amazon GuardDuty findings, and maintains up to a year of aggregated data for analysis.

Consolidate disparate events into a graph model

Amazon Detective can analyze events from many separate data sources regarding IP traffic, AWS management operations, and malicious or unauthorized activity to construct a graph model. The graph model is designed to distill log data using machine learning, statistical analysis, and graph theory to build a linked set of data for security investigations. The graph model is also prebuilt with security-related relationships, and summarizes contextual and behavioral insights that can help you to quickly validate, compare, and correlate the data to reach conclusions. Amazon Detective’s visualizations are powered by the graph model, and can help you to answer your investigative questions without the complexity of querying raw logs. For example, a graph can provide context and relationships around when an IP address connected to an EC2 instance, and the API calls that a role has issued in a specific time period.

Interactive visualizations

The Amazon Detective geolocation map shows you activity coming from locations that were not previously observed. This can help you to identify unusual activity and investigate whether it is legitimate or suspicious.

The Overall API call volume view shows you successful and failed calls in a specific time period and compares them to the established baseline. This can help you to identify patterns of abnormal activity and validate security findings.
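As an added illustration of the two analytics just described (this is not Detective's own implementation or code), the following Python snippet runs a newly-observed-location check and a baseline comparison of successful versus failed API calls over a handful of constructed CloudTrail-style records; the IP-to-location table is a constructed stand-in for a GeoIP lookup.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not real data). CloudTrail sets
# errorCode only when a call fails, so None means the call succeeded.
EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "sourceIPAddress": "198.51.100.7", "errorCode": None},
    {"eventTime": "2024-05-01T15:30:00Z", "sourceIPAddress": "198.51.100.7", "errorCode": None},
    {"eventTime": "2024-05-02T09:10:00Z", "sourceIPAddress": "203.0.113.5", "errorCode": None},
    {"eventTime": "2024-05-02T18:45:00Z", "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-03T02:05:00Z", "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-03T02:06:00Z", "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-03T02:07:00Z", "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-03T02:09:00Z", "sourceIPAddress": "192.0.2.44", "errorCode": None},
    {"eventTime": "2024-05-03T11:00:00Z", "sourceIPAddress": "198.51.100.7", "errorCode": None},
]

# Constructed IP-to-location table standing in for a GeoIP database.
GEO = {"198.51.100.7": "Dublin, IE", "203.0.113.5": "Frankfurt, DE", "192.0.2.44": "Sao Paulo, BR"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def split_windows(events, scope_start):
    """Split events into the baseline (before scope_start) and the investigation scope."""
    start = parse(scope_start)
    baseline = [e for e in events if parse(e["eventTime"]) < start]
    scope = [e for e in events if parse(e["eventTime"]) >= start]
    return baseline, scope


def newly_observed_locations(baseline, scope, geo):
    """Locations seen in the scope window that never appeared in the baseline."""
    seen = {geo.get(e["sourceIPAddress"], "unknown") for e in baseline}
    return sorted({geo.get(e["sourceIPAddress"], "unknown") for e in scope} - seen)


def call_volume(events):
    """Count successful versus failed API calls in a set of events."""
    c = Counter("failed" if e.get("errorCode") else "success" for e in events)
    return {"success": c["success"], "failed": c["failed"]}


def compare_to_baseline(baseline, scope, baseline_days):
    """Compare the scope window's call counts with the baseline's daily average.

    With an empty baseline (baseline_days == 0) the ratio is None rather than a
    division error, so a brand-new account does not look like an anomaly.
    """
    base, cur, out = call_volume(baseline), call_volume(scope), {}
    for k in ("success", "failed"):
        avg = base[k] / baseline_days if baseline_days else 0.0
        out[k] = {"baseline_daily_avg": avg, "observed": cur[k], "ratio": cur[k] / avg if avg else None}
    return out
```

Run against the constructed records with a scope starting 2024-05-03, the check reports Sao Paulo as a newly observed location and a failed-call volume six times the baseline daily average.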

Integration for investigating a security finding

Amazon Detective is integrated with AWS security services such as Amazon GuardDuty and AWS Security Hub, as well as AWS partner security products, to help you investigate security findings identified in these services. Using these integrated services, you can go to Amazon Detective and see events related to the finding, drill down into relevant historical activities, and investigate the issue.

Deployment with no upfront data source integration or complex configurations to maintain

Through the AWS Management Console, you can enable Amazon Detective. There is no software to deploy, agents to install, or complex configurations to maintain. There are also no data sources to enable. 

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.